MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d82cb4755924ead169ce150c3e22d12a1820d92e65bf5dfa4c7003b3147441f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d82cb4755924ead169ce150c3e22d12a1820d92e65bf5dfa4c7003b3147441f3
SHA3-384 hash: a0294480727cc17f6c0fd2072ae0318e080b9982118ff34543210d3a116cc1a76465b8a388fd5c5daf6e94ae6133727d
SHA1 hash: 799b079e9efb3521bd6221f7b8d1ee0276586a78
MD5 hash: 681453e7b08df68d87e2389fd46f2fbc
humanhash: kitten-happy-potato-hot
File name:681453e7b08df68d87e2389fd46f2fbc.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:128'000 bytes
First seen:2021-08-13 14:30:04 UTC
Last seen:2021-08-13 16:08:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:d0miL+Xcfwr51ehXhREcmx1+k8fNO8mKiEa9HO86rFyfcXZz:2qQO1ZNuk8w828rFYet
Threatray 246 similar samples on MalwareBazaar
TLSH T136C3A1E7B03CA46CC0141B34E421FE477D668EF5C9C1B539A141FBE6AA3A258CEE416D
dhash icon 1cdcccc4d2f2e871 (6 x RedLineStealer)
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
681453e7b08df68d87e2389fd46f2fbc.exe
Verdict:
Malicious activity
Analysis date:
2021-08-13 14:32:01 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/06d02ad9-0778-4cfc-83b0-211f88f085e2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179005/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.DVF.genEldorado.7751.22275.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a window
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Query of malicious DNS domain
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Sending a TCP request to an infection source
Sending an HTTP GET request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/832491
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 464932 Sample: LNIJ7WPRlR.exe Startdate: 13/08/2021 Architecture: WINDOWS Score: 100 54 Multi AV Scanner detection for domain / URL 2->54 56 Antivirus detection for URL or domain 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 3 other signatures 2->60 7 LNIJ7WPRlR.exe 15 6 2->7         started        12 WinHoster.exe 2 2->12         started        14 WinHoster.exe 2 2->14         started        process3 dnsIp4 38 music-sec.xyz 172.67.190.140, 49732, 80 CLOUDFLARENETUS United States 7->38 40 iplogger.org 88.99.66.31, 443, 49735, 49736 HETZNER-ASDE Germany 7->40 42 192.168.2.1 unknown unknown 7->42 30 C:\Users\user\AppData\Roaming\4945130.exe, PE32 7->30 dropped 32 C:\Users\user\AppData\Roaming\3575636.exe, PE32 7->32 dropped 34 C:\Users\user\AppData\...\LNIJ7WPRlR.exe.log, ASCII 7->34 dropped 68 May check the online IP address of the machine 7->68 70 Performs DNS queries to domains with low reputation 7->70 16 4945130.exe 1 4 7->16         started        20 3575636.exe 14 22 7->20         started        file5 signatures6 process7 dnsIp8 28 C:\Users\user\AppData\...\WinHoster.exe, PE32 16->28 dropped 44 Multi AV Scanner detection for dropped file 16->44 46 Detected unpacking (changes PE section rights) 16->46 48 Machine Learning detection for dropped file 16->48 23 WinHoster.exe 2 16->23         started        36 getdesignusa.xyz 104.21.14.85, 443, 49744, 49747 CLOUDFLARENETUS United States 20->36 50 Performs DNS queries to domains with low reputation 20->50 52 Tries to harvest and steal browser information (history, passwords, etc) 20->52 26 WerFault.exe 20 9 20->26         started        file9 signatures10 process11 signatures12 62 Multi AV Scanner detection for dropped file 23->62 64 Detected unpacking (changes PE section rights) 23->64 66 Machine Learning detection for dropped file 23->66
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d82cb4755924ead169ce150c3e22d12a1820d92e65bf5dfa4c7003b3147441f3/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-08-13 13:06:12 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  1/5
Verdict:
unknown
Similar samples:
03a6ed98578bd9fd4887b208203f0897c4b59a408e4562549e19448d77ea1669
RedLineStealer
06a2b3dae21085aa5cad1105ec7ae822e4e785c1adf314e3554d515474a322f4
RedLineStealer
075312ecbb4db40578c78ec9325d214e612cd19e89c9c43772a4e61219b6f1ff
RedLineStealer
52ac1e4535281dcbc751114fcd6cf12656d1754269bce5f24bfdae5be9640108
RedLineStealer
55da2aa80bd64db9aebd250ce15446ab248255669e64ef3353b7eaae000c6241
RedLineStealer
62cf8452627f42cc0f5655a12ef386c720e11f2fd2ad7ec64ea821184ffacc65
RedLineStealer
67b1a7835687bf5851cf29539b2d0ce90ab30d373edfcf9ee54237026c67df33
RedLineStealer
685933af075d310ddb454b399641cfdbf801441e5360df0e71204d63d2afc757
RedLineStealer
cb8679b5226b3f846932418f11d38b39bf6b315282f12a2a800ec913830e4ec8
RedLineStealer
+ 236 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence spyware stealer
Link:
https://tria.ge/reports/210813-s1t9k514qs/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
d82cb4755924ead169ce150c3e22d12a1820d92e65bf5dfa4c7003b3147441f3
MD5 hash:
681453e7b08df68d87e2389fd46f2fbc
SHA1 hash:
799b079e9efb3521bd6221f7b8d1ee0276586a78
Link:
https://www.unpac.me/results/8ce9dd35-0bc1-4ea9-94d3-1a44addd62ea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d82cb4755924ead169ce150c3e22d12a1820d92e65bf5dfa4c7003b3147441f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe d82cb4755924ead169ce150c3e22d12a1820d92e65bf5dfa4c7003b3147441f3

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/179005/
  
URLhaus
https://urlhaus.abuse.ch/url/1440660/
  
Delivery method
Distributed via web download

Comments